I was wondering whether JtR is a good solution to test password strength. I'm not interested in actually finding the passwords (I'd rather not in fact), what I'd like is to run JtR in a way which would allow me to say "User A, I think you ought to choose a better password, it's really rather weak; user B, your password is decent but could be improved a little; user C, well done, your password is strong" in order to do a bit of user education. Is there a way to get JtR to only say how long it's been running when it's found a match rather than record the password in the .pot file? Is there a better way to do this? And no, before you say it, I know it'd be perfect if I could just say, passwords should respect such standards but that's unfortunately not an option currently.
Thanks
I do this all the time...
Using John to run a quick scan of a password file for my customers helps me stress the importance of better password policies. And it does allow some targeting of users with especially weak passwords.
If in a few minutes, I can come up with output like below, it's a good call-to-action:
I'm with everyone else - if you, with your tiny resources and limited patience, can find any passwords, then the attacker with a few (friends with) PCs with 8 Radeon R290Xs each, who decides to spend a month or two on just your password file, and who is much, much more experienced than you, with better wordlists and rulesets, is definitely going to find them.
If you really insist on ranking by weakness, then do attacks in sequence, smallest exhaustive keyspace first. For instance (keyspaces are rough estimates, NOT precision calculations):
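As an added illustration of that staged approach (my own example, not the answerer's code): a small Python wrapper that runs john stage by stage from the smallest keyspace up, reads back only the usernames from `john --show`, labels each user by the first stage that cracked them, and deletes the pot file so no plaintext is kept, which also covers the question's wish to report only "how long it took". The stage labels, the `common.txt` wordlist and the `--incremental=Digits` / `--wordlist` / `--rules` arguments are assumptions to be tuned to your own policy.

```python
import os
import subprocess
import time

# Attack stages ordered from smallest to largest keyspace. The labels and the
# john arguments are illustrative assumptions; tune them to your own policy.
STAGES = [
    ("very weak", ["--incremental=Digits"]),
    ("weak", ["--wordlist=common.txt"]),
    ("moderate", ["--wordlist=common.txt", "--rules"]),
]

def parse_show(show_output):
    """Return the usernames in `john --show` output, discarding plaintext."""
    users = set()
    for line in show_output.splitlines():
        # The summary line ("N password hashes cracked, M left") has no colon.
        if ":" not in line:
            continue
        # Keep only the first field; the password in the second is dropped here.
        users.add(line.split(":", 1)[0])
    return users

def classify(stage_results):
    """Map each user to the label of the first stage that cracked them.
    The pot file is cumulative, so later stages repeat earlier hits and
    setdefault keeps the earliest (weakest) label."""
    ranked = {}
    for label, show_output in stage_results:
        for user in parse_show(show_output):
            ranked.setdefault(user, label)
    return ranked

def run_audit(hash_file, pot_file="audit.pot", john="john"):
    """Run the stages against hash_file and return {user: label}."""
    results = []
    for label, args in STAGES:
        started = time.monotonic()
        subprocess.run([john, f"--pot={pot_file}", *args, hash_file],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        shown = subprocess.run([john, f"--pot={pot_file}", "--show", hash_file],
                               capture_output=True, text=True).stdout
        print(f"stage '{label}' done in {time.monotonic() - started:.0f}s")
        results.append((label, shown))
    # Remove the pot file so no plaintext is retained after the audit.
    if os.path.exists(pot_file):
        os.remove(pot_file)
    return classify(results)
```

Users absent from the returned mapping were not cracked within the budgeted stages and can be given the top rating.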
John the Ripper is a good tool, but it is not always the best tool.
Currently, for many hashes, oclHashcat is the best free tool I'm aware of, and the option to hide found passwords is a combination of
i.e. add to your command line
I usually pull in the result file
On the paid side, Elcomsoft has a wide variety of tools available; to cite one example, their Proactive Password Auditor, at least, has an option to hide found passwords.
In either case, budget at least one GPU of whatever type is best for the software you choose.
In any case, learn the various modes - pure Markov mode/brute force for limited character sets (including some keywalking sets), and then very quickly graduate to rules-based dictionary attacks. Make dictionaries including common words at your company, phone numbers, addresses, the phone list, etc. and add that to common dictionaries like online Scrabble word lists, phpbb, insidepro, rockyou, crackstation, clearmoon247, or myslowtech.
If you need a dictionary with a clear license, while it's not good for cracking, the English Open Word List license is:
I'd think that iterating using brute force over a list/database of users, cracking each of their passwords, would be hugely wasteful and take a very long time.
Consider that you don't know much about their passwords, so you don't know if there are any letters, uppercase, lowercase, password length or special characters.
So within JTR you're going to have to specify a huge character set to work from and that could take (even on a fast server) several days, weeks or more to crack each password.
There's also user trust issues surrounding emailing them to let them know you've sussed their password and consider it to be weak.
It's best to just enforce minimum strength requirements when they're creating their password.